Set the NSX-T Edge Management Gateway Firewall Rules for

To enable on your SDDC environment that uses VMware NSX-T®, you must create firewall rules between your on-premises data center and the Management Gateway. After the initial firewall rules configuration, you can add, edit, or delete rules as needed. Because the Management Gateway fronts vCenter Server and the other management appliances, every rule you create here should admit only the specific remote addresses it needs.

- Verify that you have activated on the SDDC.
- Log in to the VMware Cloud Services Console at https://console.cloud.vmware.com/csp/gateway/discovery.
- Launch the VMware Cloud on Dell service.
- Access NSX Manager from the VMware Cloud on Dell EMC Console.
- To add a rule, click ADD RULE and give the rule a Name.
- Enter the parameters for the new rule. Parameters are initialized to their default values (for example, All for Sources and Destinations). To edit a parameter, move the mouse pointer over the parameter value and click the pencil icon to open a parameter-specific editor.
- Sources: Do one of the following:
- Select Any to allow traffic from any source address or address range. Although Any is a permitted source, a Management Gateway rule with source Any lets any address that can reach the gateway attack your vCenter Server and may lead to compromise of your SDDC. As a best practice, configure this firewall rule to allow access only from trusted source addresses, for example a User-Defined Group that contains the IP addresses of the remote site. See VMware Knowledge Base article 84154.
- Select System Defined Groups and select vCenter to allow traffic from your SDDC's vCenter Server.
- Destinations: Do one of the following:
- Select Any to allow traffic to any destination address or address range.
- Select System Defined Groups and select vCenter to allow traffic to your SDDC's vCenter Server.
The new rule is enabled by default.
- Repeat the previous step to create each of the following firewall rules for . Each rule lists its Name, Source, Destination, Service, and Action. Where a rule offers Any or a User-Defined Group, prefer the User-Defined Group so that the rule admits only the remote appliance addresses it needs.
- Remote SRM to vCenter Server
  - Source: User-Defined Group that includes the remote IP address.
  - Destination: vCenter
  - Service: HTTPS (TCP 443)
  - Action: Allow
- Remote VR to vCenter Server
  - Source: User-Defined Group that includes the remote IP address.
  - Destination: vCenter
  - Service: HTTPS (TCP 443)
  - Action: Allow
- Remote network to SRM (SRM Server Management)
  - Source: User-Defined Group that includes the remote and IP addresses.
  - Destination:
  - Service: VMware Site Recovery SRM
  - Action: Allow
- Remote network to VR (VM Replication)
  - Source: User-Defined Group that includes the remote ESXi hosts IP addresses.
  - Destination:
  - Service: VMware Site Recovery vSphere Replication
  - Action: Allow
- Remote network to VR (VR Server Management)
  - Source: or User-Defined Group that includes the remote and IP addresses.
  - Destination:
  - Service: VMware Site Recovery vSphere Replication
  - Action: Allow
- Remote network to VR (UI and API)
  - Source: User-Defined Group that includes the remote browser IP address.
  - Destination:
  - Service: VMware Site Recovery vSphere Replication
  - Action: Allow
- SRM (HTTPS) to remote network
  - Source:
  - Destination: Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses.
  - Service: HTTPS (TCP 443)
  - Action: Allow
- VR (HTTPS) to remote network
  - Source:
  - Destination: Any or User-Defined Group that includes the remote Platform Services Controller and vCenter Server IP addresses.
  - Service: HTTPS (TCP 443)
  - Action: Allow
- SRM (SRM Server Management) to remote network
  - Source:
  - Destination: Any or User-Defined Group that includes the remote IP address.
  - Service: VMware Site Recovery SRM
  - Action: Allow
- VR (SRM Server Management) to remote network
  - Source:
  - Destination: Any or User-Defined Group that includes the remote IP address.
  - Service: VMware Site Recovery SRM
  - Action: Allow
- ESXi (VM Replication) to remote network
  - Source: ESXi
  - Destination: Any or User-Defined Group that includes the remote IP addresses (combined appliance and any add-on appliances).
  - Service: VMware Site Recovery vSphere Replication
  - Action: Allow
- SRM (VR Server Management) to remote network
  - Source:
  - Destination: Any or User-Defined Group that includes the remote IP address.
  - Service: VMware Site Recovery vSphere Replication
  - Action: Allow
- VR (VR Server Management) to remote network
  - Source:
  - Destination: Any or User-Defined Group that includes the remote IP address.
  - Service: VMware Site Recovery vSphere Replication
  - Action: Allow
- Click PUBLISH to create the rules. Rules take effect as soon as they are published, so review the Source of every rule for Any before you click PUBLISH.
- Repeat the procedure at the second VMware Cloud on Dell EMC SDDC.
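The procedure above is clicked through in NSX Manager, but the same rule set can be reviewed before it is published. The script below is an added example, not VMware's code and not part of this page: it audits gateway firewall rules of the same shape for the two mistakes the page warns against, Any as the source of a rule whose destination is vCenter (KB 84154), and a User-Defined Group meant to hold trusted addresses whose members are so wide that they amount to Any. It assumes the NSX-T Policy API field names (display_name, source_groups, destination_groups, services, action), the /infra/domains/mgw/groups/ path prefix, and the VCENTER and HTTPS paths; all groups and rules in it are constructed sample data.

```python
"""Lint a set of Management Gateway (MGW) firewall rules before publishing.

Added example, not VMware's code. It assumes the NSX-T Policy API JSON shape
for a gateway firewall rule (display_name, source_groups, destination_groups,
services, action) and the /infra/domains/mgw/groups/ path prefix; every rule
and group below is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

MGW_GROUPS = "/infra/domains/mgw/groups/"   # assumed path prefix for MGW groups
VCENTER = MGW_GROUPS + "VCENTER"            # assumed path of the system-defined vCenter group
HTTPS = "/infra/services/HTTPS"             # assumed path of the HTTPS (TCP 443) service
ANY = "ANY"                                 # how the Policy API spells "Any"
MAX_MEMBER_SPAN = 24   # local policy: a trusted-source member must be a /24 or narrower


@dataclass
class Rule:
    """One gateway firewall rule, mirroring the Policy API fields."""
    display_name: str
    source_groups: list
    destination_groups: list
    services: list
    action: str = "ALLOW"

    def to_payload(self) -> dict:
        """Body for PUT .../gateway-policies/default/rules/<id> (shape assumed)."""
        return {
            "display_name": self.display_name,
            "source_groups": self.source_groups,
            "destination_groups": self.destination_groups,
            "services": self.services,
            "action": self.action,
        }


def broad_members(cidrs, max_span=MAX_MEMBER_SPAN):
    """Return the members of a user-defined group that are wider than the policy allows."""
    broad = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)  # accepts "198.51.100.10" and "10.0.0.0/8"
        if net.prefixlen < max_span:
            broad.append(cidr)
    return broad


def audit_rules(rules, groups):
    """Return (rule name, finding) pairs for ALLOW rules that expose the MGW too widely.

    groups maps a user-defined group path to its list of IP members.
    """
    findings = []
    for rule in rules:
        if rule.action != "ALLOW":
            continue
        # The KB 84154 case: any source address may reach vCenter Server.
        if ANY in rule.source_groups and VCENTER in rule.destination_groups:
            findings.append((rule.display_name,
                             "source Any reaches vCenter; restrict to trusted addresses (KB 84154)"))
        # A "trusted" group that contains 0.0.0.0/0 or a large block is Any in disguise.
        for path in rule.source_groups:
            if path == ANY:
                continue
            for member in broad_members(groups.get(path, [])):
                findings.append((rule.display_name,
                                 f"source group {path} contains broad member {member}"))
    return findings


# Constructed sample data: two user-defined groups and three candidate rules.
SAMPLE_GROUPS = {
    MGW_GROUPS + "Remote-SRM": ["198.51.100.10/32"],   # one remote appliance address
    MGW_GROUPS + "Remote-Site": ["0.0.0.0/0"],         # mistakenly "everything"
}
SAMPLE_RULES = [
    Rule("Remote SRM to vCenter Server", [MGW_GROUPS + "Remote-SRM"], [VCENTER], [HTTPS]),
    Rule("Any to vCenter Server", [ANY], [VCENTER], [HTTPS]),
    Rule("Remote site to vCenter Server", [MGW_GROUPS + "Remote-Site"], [VCENTER], [HTTPS]),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES, SAMPLE_GROUPS):
        print(f"{name}: {finding}")
```

Run against the sample data, only the first rule passes: the second is the exact case the Knowledge Base article describes, and the third shows why the check must look inside User-Defined Groups rather than only at the literal Any. Exporting the rules you intend to publish into the same shape and running them through audit_rules is the point at which to catch such a rule, before PUBLISH makes it live.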